OpenSSL::Cipher::CipherError: wrong final block length #44

Closed
northband opened this Issue Sep 20, 2012 · 16 comments


@northband

Gosh - I can't win - the column is encrypted in the DB (yay) but now I'm getting this when trying to decrypt:

ruby-1.9.2-p290 :009 > u.dob
OpenSSL::Cipher::CipherError: wrong final block length
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/encryptor-1.1.3/lib/encryptor.rb:62:in `final'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/encryptor-1.1.3/lib/encryptor.rb:62:in `crypt'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/encryptor-1.1.3/lib/encryptor.rb:44:in `decrypt'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/attr_encrypted-1.2.1/lib/attr_encrypted.rb:179:in `decrypt'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/attr_encrypted-1.2.1/lib/attr_encrypted.rb:262:in `decrypt'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/attr_encrypted-1.2.1/lib/attr_encrypted.rb:126:in `block (2 levels) in attr_encrypted'
from (irb):9
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/railties-3.2.8/lib/rails/commands/console.rb:47:in `start'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/railties-3.2.8/lib/rails/commands/console.rb:8:in `start'
from /Users/northband/.rvm/gems/ruby-1.9.2-p290/gems/railties-3.2.8/lib/rails/commands.rb:41:in `<top (required)>'
from script/rails:6:in `require'
from script/rails:6:in `<main>'

Any ideas?

@mlchai
mlchai commented Sep 20, 2012

I got this error before. Make sure that you're not setting your encrypted attribute directly, and also make sure the key you're using is ok. I just searched Google for a random 256 key generator and used that key.

@northband

Thanks - I grabbed a 256-bit key, and am using it. Also - encrypting user.dob (virtual attrib) vs. user.encrypted_dob. It's going in encrypted - but when I do 'user.dob' I keep getting the 'OpenSSL::Cipher::CipherError: wrong final block length' error.

@josegrad

Hi, just having this issue. The funny thing is that I'm using some encrypted attributes on some fields from 3 models. No problem with 2 of the models and now with the users model I get this error. I should have followed the same procedure but I can't spot the difference. Did you manage to find the problem in your case?

Cheers.

@northband

Gosh I didn't - I'm going to get back to it soon as I need to resolve it or use a different solution.

On 10/24/12 5:32 PM, josegrad wrote:

Hi, just having this issue. The funny thing is that I'm using some
encrypted attributes on some fields from 3 models. No problem with 2 of
the models and now with the users model I get this error. I should have
followed the same procedure but I can't spot the difference. Did you
manage to find the problem in your case?

Cheers.



@josegrad

I gave up on encrypting the user fields; also, I'm using sorcery for authentication and encrypting those was adding extra complexity. I think I covered the thing protecting the other models. I'm curious to know which route you take and if you manage to find the solution.

Cheers.

@schir1964

Just wanted to point out that if the field the encrypted value is stored in is a generic text field (like in MySQL) then it's possible to get unwanted padding to the value when pulling it back out (at least that is what I've read). The recommendation (for MySQL) was to use a BLOB field type for storing encrypted values. Not sure this even applies here but just something to check.

@josegrad

Thanks. I wasn't aware of that recommendation. I'm using this gem in several projects and never used blob for it. I'm on postgresql though I'm not sure if that makes any difference.

@raid5
raid5 commented Apr 29, 2013

Still stumbled across this problem also.

@billymonk
Member

@northband,

What database are you using and do you have any limits on the length of the encrypted column? We were able to replicate this issue with a MySQL database and a column whose limit caused the encrypted value to be truncated.

I would check that the encrypted value stored in the database is the same as the encrypted value that is returned when a value is encrypted.

Thanks

@sbfaulkner
Member

Closing for now. Unless reproducible details are available, #52 may suffice to address this based on our testing.

@sbfaulkner closed this Nov 15, 2013

@pdsullivan

I am getting this error. Using postgres. Was there ever a resolution?

@saghaulor
Contributor

@pdsullivan Please provide more info.

@pdsullivan

Hey @saghaulor

Here is the full error I am getting

OpenSSL::Cipher::CipherError: wrong final block length
from /Users/patrick/.rvm/gems/ruby-2.2.2/gems/encryptor-1.3.0/lib/encryptor.rb:73:in `final'

What I am doing is setting the user's ssn like so user.ssn = '888888888' then I am able to access it by just doing user.ssn in memory but when I do user.save and user.reload and try to access the ssn again I get that error.

Also just so it is said, in my database I have the column called encrypted_ssn.

In my model I am using the attr_encrypted. I have tried it with and without the :encode => true

attr_encrypted :ssn, :key => ENV["KEY"], :encode => true

@saghaulor
Contributor

@pdsullivan can you please include the line where you're using attr_encrypted in your User model?

@pdsullivan

and the encrypted_ssn column is added as string type

def change
    add_column :users, :encrypted_ssn, :string
end

@saghaulor
Contributor

@pdsullivan what ORM are you using?

Also, just an FYI:

  1. It looks like you're using a generic IV (:single_iv_and_salt). This is not very safe. In fact it's not recommended.
  2. You're using the string column type and base64 encoding the ciphertext. This is not required. You can use the binary column type and not encode and things should still work, saving some time.
  3. Depending on what db you use, it may have dangerous defaults. Namely, older versions of MySQL will truncate data silently if it exceeds the column length. You should be fine with a short string like SSN, but please be mindful of that. You can turn on strict mode in MySQL so that it will raise an exception if the data exceeds the column max length.
  4. If you're just getting started with attr_encrypted, please stay tuned. I'm about to push a v2.0 that significantly improves the default security.
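
The check @billymonk suggests (compare the stored ciphertext with what was written) and the silent-truncation case from item 3 above, as an added Ruby example that is not code from this thread, attr_encrypted or encryptor. The column is modelled in memory; `store_in_column`, `audit`, `DEMO_KEY` and the sample values are hypothetical and constructed for the demonstration.

```ruby
require 'openssl'

BLOCK = 16 # AES block size in bytes
# Constructed demo key; a real key comes from a secret store.
DEMO_KEY = OpenSSL::Digest::SHA256.digest('constructed demo key')

# Run AES-256-CBC in the given direction over data.
def aes(mode, data, iv)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = DEMO_KEY
  c.iv = iv
  c.update(data) + c.final
end

# Stand-in for a database column that silently cuts any value
# longer than its limit (assumed behaviour, modelled in memory).
def store_in_column(value, limit)
  value.byteslice(0, limit)
end

# Encrypt, pass the ciphertext through the column, then compare what
# comes back with what was written before attempting to decrypt it.
def audit(plaintext, column_limit)
  iv = OpenSSL::Random.random_bytes(BLOCK)
  written = aes(:encrypt, plaintext, iv)
  stored = store_in_column(written, column_limit)
  result = begin
    [:ok, aes(:decrypt, stored, iv).force_encoding('UTF-8')]
  rescue OpenSSL::Cipher::CipherError => e
    # A stored length that is not a multiple of the block size is
    # what OpenSSL rejects in the final decryption step.
    [:error, e.class.name, e.message]
  end
  { intact: stored == written,
    block_aligned: (stored.bytesize % BLOCK).zero?,
    result: result }
end

if __FILE__ == $PROGRAM_NAME
  p audit('888888888', 255) # short value, wide column
  p audit('x' * 40, 40)     # 48-byte ciphertext cut to 40 bytes
end
```

Comparing `stored` with `written` flags the damaged row before any decryption is attempted, which separates a storage problem from a key or IV problem.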